ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 5 question 30 discussion

Actual exam question from Microsoft's AZ-500
Question #: 30
Topic #: 5
[All AZ-500 Questions]

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

User1 is a member of Group1. Group1 and User2 are assigned the Key Vault Contributor role for Vault1.
On January 1, 2019, you create a secret in Vault1. The secret is configured as shown in the exhibit. The date format YYYY-MM-DD is used on the exhibit. (Click the Exhibit tab.)

User2 is assigned an access policy to Vault1. The policy has the following configurations:
✑ Key Management Operations: Get, List, and Restore
✑ Cryptographic Operations: Decrypt and Unwrap Key
✑ Secret Management Operations: Get, List, and Restore
Group1 is assigned an access policy to Vault1. The policy has the following configurations:
✑ Key Management Operations: Get and Recover
✑ Secret Management Operations: List, Backup, and Recover
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
by dadageer at March 13, 2021, 11:05 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
dadageer
Highly Voted 4 years, 5 months ago
Tested answers: 1) On Jan 1 2019 User 1 can view the password 1 - No (Error: Either this secret is disabled or you do not have the "Get" secret permission.) 2) On June 1 2019 User2 can view the password1 - YES 3) On June 1 2019 User1 can view the Password1 - No User 2 can see the Value no issues regardless of date because he has GET Secret Permission
upvoted 52 times
Sethoo
4 years, 4 months ago
Group 1 , which user 1 belongs to does not have the "Get" permission so that must explain your results in 1. I am surprised the result tested No for 3, i was expecting a yes because of the dates or because Group 1 does not have the "Get" permission, they don't have access to the password irrespective of the date. thank you for running the test
upvoted 3 times
dadageer
4 years, 4 months ago
Yes "Get" permission is must to see the password. Even if Secret is enabled and within valid date you get error "Either this secret is disabled or you do not have the "Get" secret permission"
upvoted 4 times
...
...
Daniel76
3 years, 2 months ago
Supported the answer above. Noted that although both User1 and User2 have key vault contributor access, that does not provide them access to secrets, certs, keys in the data plane. The Key Vault Contributor role is for management plane operations to manage key vaults. It does not allow access to keys, secrets and certificates.
upvoted 4 times
...
...
Fred64
Highly Voted 4 years, 3 months ago
activation and expiration date are just declarative. They involve no constraint in practice. So the only question is to have permission to decrypt key. The proposed answer is OK
upvoted 12 times
...
chesco00
Most Recent 1 year, 3 months ago
On exam 17/04/2024
upvoted 5 times
...
cris_exam
1 year, 6 months ago
Docs weren't really giving me the sureness so I tested this out and indeed the correct answers are: Y N Y. User1 cannot access because KV Contributor access is not enough and the Access policy rights for Group1 where User1 is a member of are also not enough to see the secret value. User2 of course has access, but because of the Access Policy, NOT due to the KV Contributor role. Hope this helps. Cheers!
upvoted 1 times
cris_exam
1 year, 6 months ago
oh man, good that I looked over this question here, I mistakenly written the wrong order of YES and NO. Correct answers are: No / YES / NO
upvoted 2 times
...
...
akshathajm
1 year, 6 months ago
NNN Setting Azure RBAC permission model invalidates all access policies permissions.
upvoted 1 times
...
Strive_for_greatness_kc
1 year, 6 months ago
NYN 1. No because Key Vault Contributor does allow to retrieve secrets, group1 does not have Get permission on Secrets 2.Yes User2 has GET permission on Secret 3. No Same as 1.
upvoted 1 times
...
epomatti
1 year, 7 months ago
When Vault access policy is enabled, RBAC permissions do not work. This is either a tricky question, or they made mistake writing the question.
upvoted 1 times
Jimmy500
1 year, 1 month ago
You assumption is completaly correct they should tell permisssion model of key vault
upvoted 1 times
...
...
wardy1983
1 year, 8 months ago
1) On Jan 1 2019 User 1 can view the password 1 - No (Error: Either this secret is disabled or you do not have the "Get" secret permission.) 2) On June 1 2019 User2 can view the password1 - YES 3) On June 1 2019 User1 can view the Password1 - No User 2 can see the Value no issues regardless of date because he has GET Secret Permission
upvoted 1 times
...
nahom20
1 year, 10 months ago
User 1/Group 1 doesnt have the option to decrypt or unwrap key ?
upvoted 2 times
...
Self_Study
2 years ago
still valid, still on exam
upvoted 5 times
...
majstor86
2 years, 5 months ago
NO YES NO
upvoted 5 times
...
paulb2b
3 years ago
create: Create a new key, or a new version of an existing key. import: Import a key from a PEM file. get: Retrieve an existing key. list: List all keys in the vault. delete: Delete a key. backup: Return a base64-encoded blob representing the key. restore: Use a blob obtained by the backup method to restore a key. do_operation: Carry out arbitrary REST operations on keys. Used by the above methods.
upvoted 2 times
...
tnagy
3 years, 1 month ago
Not sure how the answer is correct! They are should be No, No, No. Both users have Key Vault Contributor Role. According to Microsoft: Key Vault Contributor Role: Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor
upvoted 1 times
tnagy
3 years, 1 month ago
"Get" Permission cannot allow you to see the password value. Only the public part of a key. https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys-details
upvoted 1 times
...
JakeCallham
2 years, 10 months ago
Not true, user2 belongs to group2 who has Get And List, get is needed to see the value of secret. List is just for see what the secrets are named, hence user1 doesnt see it
upvoted 2 times
...
...
scruzer
3 years, 5 months ago
on Exam 03/10/2022!!
upvoted 2 times
...
keymson
3 years, 5 months ago
Answers given Correct.
upvoted 1 times
...
Jco
3 years, 10 months ago
#exam ques # 29 Sep
upvoted 1 times
...
Vmwarevirtual
3 years, 10 months ago
On exam at 25 - Sep 2021 - The answers provide here are correct.
upvoted 1 times
orallony
3 years, 10 months ago
How do you know its true????
upvoted 2 times
JakeCallham
2 years, 10 months ago
Common logic and its very easy to test my friend. You need Get permissions to actually get the value of a secret.
upvoted 1 times
...
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel